CORS headers for s.w.org

Would it be possible to enable CORS headers on s.w.org?
A number of CSSCSS CSS is an acronym for cascading style sheets. This is what controls the design or look and feel of a site./JS features require accessing images/svg/fonts via a fetch request, and currently they’ll be blocked due to a cross-origin request. That means we can’t serve svgs, fonts, and some CSS/JS files from the s.w.org CDN and instead use wordpress.org.

I assume these headers would suffice, which conveniently matches s0.wp.com‘s headers, so I assume would be safe for us to do.

access-control-allow-methods: GET, HEAD
access-control-allow-origin: *

If we need to limit it to certain filetypes, images (.svg, .png, .jpg), fonts (.woff2 .woff, .ttf, .eot) and styles/scripts (.css, .js) would probably suffice, but I don’t think there’s any security requirement to do so given the contents of this CDN are static non-cookied non-modifying responses?

Existing cached assets should be fine to be left as-is without the headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes..

Let me know if there’s any questions or concerns.

#crossorigin #cdn #prio3

➜ ~ curl -I https://s.w.org/images/core/emoji/13.1.0/svg/1f971.svg HTTP/2 200 server: nginx date: Wed, 11 May 2022 09:56:09 GMT content-type: image/svg+xml content-length: 1379 vary: Accept-Encoding last-modified: Mon, 07 Jun 2021 18:52:47 GMT x-frame-options: SAMEORIGIN expires: Thu, 31 Dec 2037 23:55:55 GMT cache-control: max-age=315360000 access-control-allow-methods: GET, HEAD access-control-allow-origin: * x-nc: HIT vie 2 x-content-type-options: nosniff accept-ranges: bytes ➜ ~

Yordan 10:06 am on May 11, 2022
This is done for s.w.org and requested file extensions.

Example:
```
➜  ~ curl -I https://s.w.org/images/core/emoji/13.1.0/svg/1f971.svg
HTTP/2 200
server: nginx
date: Wed, 11 May 2022 09:56:09 GMT
content-type: image/svg+xml
content-length: 1379
vary: Accept-Encoding
last-modified: Mon, 07 Jun 2021 18:52:47 GMT
x-frame-options: SAMEORIGIN
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
access-control-allow-methods: GET, HEAD
access-control-allow-origin: *
x-nc: HIT vie 2
x-content-type-options: nosniff
accept-ranges: bytes
➜  ~
```
- Dion Hulse 2:31 am on May 12, 2022
  
  Thank you! This seems to work great in production.
  
  However, could this also be sync’d to sandboxes for when s.w.org is served from there?
  - Yordan 1:03 pm on May 12, 2022
    
    This has been deployedDeploy Launching code from a local development environment to the production web server, so that it's available to visitors. on sandboxes as well.
    - Dion Hulse 2:45 am on May 19, 2022
      
      @yordanko Can’t believe it took me a week to notice this.. the sandbox headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. values are inverse of what they should be, the Methods are in the Origin, and the Origin in the Methods.
      
      $ curl -Is 'https://s.w.org/wp-content/mu-plugins/pub-sync/global-fonts/Inter/Inter.woff2?v=123123' | grep ^Access-Control Access-Control-Allow-Methods: * Access-Control-Allow-Origin: GET, HEAD
      - Yordan 6:54 am on May 19, 2022
        
        Hi @dd32,
        
        Sorry about this, looks like I’ve misplaced the headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. variables and didn’t notice that while testing. The issue has been fixed and deployedDeploy Launching code from a local development environment to the production web server, so that it's available to visitors..